Mastering tcpdump: Practical Commands for Network Packet Capture and Analysis

Introduction

tcpdump is a command-line utility for capturing and analyzing network traffic. It supports filtering by network layer, protocol, host, network, or port, and offers logical operators such as and, or, and not to refine output.

Basic Usage Examples

Capture on the default interface (no parameters): tcpdump Capture on a specific interface (e.g., en0): tcpdump -i en0 Capture traffic between the local host and a remote host (e.g., 182.254.38.55): tcpdump host 182.254.38.55 Filter by source or destination host :

tcpdump src host hostname

tcpdump dst host hostname

If neither src nor dst is specified, packets with the given host as either source or destination are captured: tcpdump host hostname Filter by specific port (e.g., port 3000): tcpdump port 3000 Capture only TCP or UDP packets : tcpdump tcp Combine source host, port, and protocol (e.g., TCP packets from 123.207.116.169 on port 22):

tcpdump tcp port 22 and src host 123.207.116.169

Capture traffic between two specific hosts : tcpdump ip host 210.27.48.1 and 210.27.48.2 To exclude a host from the capture:

tcpdump ip host 210.27.48.1 and ! 210.27.48.2

More Detailed Example

Capture the first 100 TCP packets on interface eth1, ignoring timestamps, with a snap length of 0, excluding traffic to port 22, and limiting to the 192.168.1.0/24 network, then write to target.cap:

tcpdump tcp -i eth1 -t -s 0 -c 100 and dst port ! 22 and src net 192.168.1.0/24 -w ./target.cap

Capture HTTP traffic from a specific host:

sudo tcpdump -i any -s 0 -A 'tcp port 80 and host example.com'

Limit the capture to a specific number of packets (e.g., 1000) and then exit: tcpdump -c 1000 Save captured packets to a file; note that tcpdump buffers output and writes to disk only when the buffer is full or the program exits. To force immediate write (at a performance cost), add -U:

tcpdump -n -vvv -c 1000 -w /tmp/tcpdump_save.cap

Real‑World Troubleshooting Scenario

Consider a server running a Node.js application on port 3000 behind an Nginx reverse proxy listening on port 80. A client at 183.14.132.117 reports no response. Steps to diagnose:

Verify the request reaches the Node.js server (check its logs).

Confirm Nginx forwards the request to the Node.js server. Capture traffic on the proxy port (e.g., 8383): tcpdump port 8383 If no output appears, the traffic may be on the loopback interface. Capture on lo: tcpdump port 8383 -i lo Ensure Nginx preserves the original Host header; otherwise the Node.js server sees the source host as 127.0.0.1. Capture only packets from the client IP:

tcpdump port 8383 -i lo and src host 183.14.132.117

Finally, verify the request reaches the server on the expected port:

tcpdump -n tcp port 8383 -i lo and src host 183.14.132.117

These commands illustrate how tcpdump can be used to pinpoint where network traffic is lost in a typical web service deployment.